Negative on the blanks, but yes to the occasional dupe. I thought I
remembered Tony saying that he was aware of it, but I don't remember if
he mentioned any sort of resolution.
- Laura
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Hunter, Laura E.
Sent: Sunday, August 28, 2005 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
Oddly enough, this exact topic came up in a dinner
You might want to fire up regmon to see what is causing the setup to fail. I
had a similar situation a few weeks ago and we figured out (*waves at Dean*)
that there was a ServicePackBuild registry entry under
HKLM\Software\Exchange\Setup that didn't get correctly re-populated during the
Oddly enough, this exact topic came up in a dinner conversation at Tech
Ed this year.[1] Luther...oh heck somebody remind me of his last
name...had apparently quizzed people with this one at a previous
conference (DEC?), only to ultimately reveal that the answer was You
know how people always ask
What Deji said.
Document the risks of what is being done, document what you think would be a
better and more secure solution, and document what you will need to do on the
remainder of your network to compensate for this insecurity (if that's even
possible). Then hand it to this person in
Unless I'm misunderstanding your question, this should be very similar
to what you used to export computer information with csvde, just using a
different ldap filter to grab the info you're looking for this time
'round. Adfind or dsquery should also fit the bill here as well.
- Laura
RE:
Are you running 2003 AD? You can use WMI filtering to dynamically restrict how
a GPO is applied:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6237b9b2-4a21-425e-8976-2065d28b3147.mspx
(That link includes an example of a WMI filter that filters on Windows XP
... and as for being older than you, I've got shirts in my
closet older than
you.
Come to think of it, I'm wearing one -right now-!
;-P
(As the list of nicknames I have for Mr. Wells just grows and grows:
Data, 007, Mr. Bond.)
List info : http://www.activedir.org/List.aspx
List FAQ
Good Lord, I can practically hear it from here:
<Dean> Bloody Americans. </Dean>
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 08, 2005 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Gone Badly
LSL
NE3200
IPXODI
VLM
C:\F:
F:\LOGIN
... ah, even now I get a gooey comfortable feeling. :o)
You may call it a gooey comfortable feeling, Dean, but I'm having
screaming-nightmare flashbacks over here! ;-)
I actually think that Novell lost the race when they had that CEO
(damned
Dean sent a script to the list awhile ago that will change it for all
DCs...
...
*digs around* I know it's here somewhere.
Hah!
-Original Message-
From: Medeiros, Jose [mailto:[EMAIL PROTECTED]
Sent: Friday, August 05, 2005 1:30 PM
To: ActiveDir@mail.activedir.org
Subject:
Oh damn. Apologies for the impending simulpost. :-)
-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Friday, August 05, 2005 1:38 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Changing a authoritative restore
password on a DC
Enclosed is a script
Wait, so we get to talk about Dean AND joe since they can't hear what
we're saying? Wow, this is like manna from heaven! ;-)
-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 02, 2005 10:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir]
Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with <AOL>Me too!</AOL>, I'll bring up the one
that makes me crazy that no-one has mentioned yet:
Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like
I saw a number of reports in the newsgroups over this one, where servers
were hanging up on reboot and other similar issues that sprang up as a
result of this.
Almost to a one, the solution went something like 1. Uninstall old
version of Powerchute. 2. Install new version of Powerchute. 3. Poof!
Joe, I suspect we agree to just about all of it except the
chinchilla. I think you should give the chinchilla a shot.
To show support, we've started a web page
http://www.givejoeschinchilla_a_shot.com
(Don't tell the pig.)
Oh man, that one's almost as good as www.shutuplaura.com.
LogParser is a wicked cool utility. I think it got tossed into a
Resource Kit as an afterthought, and then people realized what it could
do and started dancing in the streets.
I second the nod for logparser.com - Mike Gunderloy has put up quite the
useful repository. There's also a section of
Have you explicitly added the cluster service account to the local
Administrators group on the two nodes? I had a few bizarre niggling
cluster issues that were resolved by doing that. Even though the
service account was already a local admin on the box by virtue of group
membership, the cluster
so I guess I should be more careful with when I
say in my book.
You mean like Appendix Q: A Michigander--English dictionary? ;-)
- L
I've received a couple of duplicated messages, though not every single
one. (Ironically enough, I got a dup of Brian's Just since the NDR
stuff message just now.)
So no, Brian, it's not just you - or maybe we've both got something
wrong with the drinking water. :-)
-Original Message-
Unless my Google-fu is failing me (and I don't think it is), it looks
like Mike is quoting KB 216498, step 15.
http://support.microsoft.com/?kbid=216498
- Laura
-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Friday, July 01, 2005 1:09 PM
To: Send - AD mailing
Rick
[1] Guido, I certainly HOPE you know I'm just kidding. You
are, in fact
EXTREMELY generous. [2]
[2] However, I still want a free copy... :oP
You do realize that you've taken the concept of email-message-footnotes
to an all new extreme just now, right? ;-)
- Laura
My initial hip-shot would be to look at the Access this computer from
the network user right. (Especially if the user in question can't
access other resources on the same box, as that would increase my
suspicions.)
- Laura
-Original Message-
From: Cothern Jeff D. Team EITC
Very interesting that that's in Group Policy. We used to do something similar
for our Internet kiosks with a teeny homegrown VB app. In that case we pretty
much chose to ignore the user can open 100 windows at once and gum up the
works problem, since the kiosk was on a ridiculously short idle
As is often the case, it's [joe] to the rescue. :-)
http://www.joeware.net/win/free/tools/oldcmp.htm
oldcmp - users will find/disable inactive user accounts in 2K 2K3 AD.
- L
-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 21, 2005 10:55 AM
To:
Brian,
Would the set variables do you any good here? 'echo %userdomain%' will return
the domain name if it's a domain member, or the local computer name if it's in
a workgroup.
- Laura
-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Sat 6/18/2005 3:34 PM
Showoff. ;-)
(Just kidding, of course, and in all seriousness shoot me a copy so that I can
see how you did it. :-))
- L
-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Sun 6/19/2005 1:56 PM
To: Send - AD mailing list
Cc:
Subject:RE:
Wouldn't the accounts that don't need server access show up as inactive
if you ran them through joe's 'oldcmp'? If so, then couldn't you get a
fair approximation from:
CALs required = [Total user objects] - [user objects flagged by oldcmp]
?
[Insert standard Call your reseller for definitive
Laura, good suggestion. I forgot I could use oldcmp
for users as well. Great tool, Joe.
Thanks
mc
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Hunter, Laura E.
Sent: Thursday, June 16, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
It'll also happen if a container object gets deleted in the same
replication cycle that someone creates an object -within- that
container. So you delete the Foo OU in the same cycle that someone
else creates user JSmith inside of Foo, and JSmith lands in Lost &
Found.
- Laura
-Original
H, this last bit just piqued my interest:
[joe]
I think lastKnownParent is only available on objects deleted on a K3 DC.
I.E. If an object hasn't been deleted and if that deletion didn't occur on a
K3 DC, it wouldn't be populated.
[Dean]
Not quite, your statement is true ... but only to a
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Hunter, Laura E.
Subject: RE: [ActiveDir] Lost and found
H, this last bit just piqued my interest:
[joe]
I think lastKnownParent is only available on objects deleted
on a K3 DC.
[Dean]
Not quite
Any software that can back up the Active Directory System State will
allow you to back up and restore your Active Directory database. The
simplest of these is the Backup utility that is included natively with
Windows 200/3, as well as any number of third-party vendors.
See this link for a
Hello all,
Is anyone using 2K3 clustering to create scheduled tasks that can fail
over along with their associated cluster node? I've found info on the
Volume Shadow Copy Service Task resource
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/
Anybody know where the registry equivalent of this is, in Windows Server
2003? I've un-checked the appropriate spot in the GUI, but my DC is
automatically restarting when it hits a blue-screen and it's becoming a
cycle I can't get out of. (Guess who's doing a DR drill at Sungard
today?)
Where
\CrashControl]
AutoReboot=dword:
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Thursday, May 12, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disable automatic restart registry
(Gotta love how many Exchange questions get fielded to this list, isn't
it?)
Rebuilding an Exchange 2000 server, and received the following error
trying to install the post-SP3 roll-up:
Setup has detected that the version of the service pack installed on
your system is lower that what is
BTW, what is the DC going off to do? If it is retiring, it
has a retirement plan of some sort? I suggest Florida, maybe
in the Palm Beach area. It is beautiful this time of year.
Key West all the way, man, with a stop in Key Largo for snorkeling.
But back on topic - the only thing that's
I run into this a lot; we go to Sungard twice a year to do DR testing
and we never -ever- get identical hardware. It becomes a voodoo dance of
running a repair, occasionally doing an in-place upgrade, and getting
rid of now-extinct metadata and replication entries with ntdsutil and
repadmin.
From
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/de
ployguide/en-us/dmebc_dsm_jxfc.asp
(I promise you that URL wrapped.)
Reducing disk space use, profile size, and logon processing
To save disk space, you can use the Delete cached copies of roaming
profiles policy
Late in replying - been at the Publisher's Conference this week.
I recommend your book a lot as well, in fact there is at
least one list member that has been trying to buy the darn
thing based on my recommendation but can't find it
anywhere I have pointed at a couple of resources, it
AD: Help! I broke it, and I can't go home!
*scribbles down* *steals for future usage* :-)
Laura
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Hello folks, this is driving me batty. Somebody tell me if I'm doing
something wrong, or if this is a case of some sort of
GPO/interoperability weirdness:
Current Configuration:
Single forest, single domain
2 Windows Server 2003 DCs
1 Windows 2000 Advanced server DC
Relevant Group Policy
What version is your 2K DC up to? Is it SP4?
SP4, yes indeed.
That aside, I would expect a setting of 1 to prevent enumeration per
http://support.microsoft.com/kb/246261
I've never had any luck with a setting of 1. 2 has been the only
setting that has prevented enumeration on any 2K
Actually I still haven't read the ADSI section of your book.
I opened it, saw the ADSI piece was first, skipped through it
and got to the LDAP and started reading.
BTW, I should get royalties on that thing. You know how many
people I have made go out and buy that book? Must be
Joe,
Out of curiosity, what do you define as the painful versus really
painful option in 2K3? Now I'm curious. :-)
Laura
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Aramide Adebanjo
Sent: Wednesday, February 16, 2005 1:54 PM
To:
(Gotta get out of the habit of ending my subject lines with ellipses so
that Deji's webmail will be able to open them.)
Hello all,
Playing with a situation in a break-and-fix test lab and am looking for
the...fix:
1. I'm a Domain admin for mycompany.com. I create an OU called Test1,
that
Rats, sorry about the obvious question. I was having operating system
interference from Novell NDS, since there actually -was- a way to
rather nastily lock yourself out of portions of the NDS tree by doing
that.
(Why this interference happened just now, I don't know, since I haven't
touched an
Agreed. I can't imagine a way to have that kind of isolated OU the
way Active Directory is currently laid out - I'm seeing the words
security boundary and new forest in my head before I get even three
seconds into the thought. Though it would certainly solve the problem
of wanting to create that
Morning all,
So I've been reading through the Deployment Kit and the product docs for
2003, and I think I'm not grasping a small-but-fundamental point about
how DNS zones relate to AD domains.
Let's say I create a new child domain within AD. I've already got
foo.com configured, and now I want
Thanks a lot Dean. So tell me if I've got this right, so I'll know that
I've finally wrapped my brain around it:
1. If I configure the baz.foo.com child domain, but make no changes to
my DNS structure, then clients in the baz.foo.com domain will still
point to the nameserver in foo.com.
Afternoon all,
Is there an easy (okay, easy...ish?) way to query a 2K3 cluster from the
command-line for Tell me which cluster node is hosting this resource?
The short back-story: I've clustered this monster document-imaging
application that
[1] doesn't understand clustering, and
[2] creates
Morning all,
Can someone who has a Windows 2000-only domain handy confirm something
for me?
Is the GPMC functionality of copying GPOs available in a Windows 2000
domain, or just Windows Server 2003? I know that some functionality
isn't available if you're on a 2000-only domain, but I haven't
PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Hunter, Laura E.
Sent: 15 December 2004 16:22
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPMC Windows 2000
Morning all,
Can someone who has a Windows 2000-only domain handy confirm
something for me?
Is the GPMC functionality
Hey Tim,
You don't happen to have a copy of that .BAT file, do you? The
winscriptingsolutions site is being really obstinate in coughing up the
actual code, maybe it's a subscriber-only function or something.
If you have it, could you zip it up to get past my filters and shoot it
over to me?
So I just want some opinions to make sure I'm not missing out on
anything:
I need to copy off about 150GB of data, around 2 million files, from one
server to another, and preferably not sit and babysit the process from
start to finish since it'll be running over the Christmas holiday. Is
Remember my I'm getting hammered with brute-force attacks as if 'Do not allow
enumeration of SAM' setting wasn't there even though it is problem?
Found the solution today.
Remember the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
key in 2000, that you needed to set
Someday I'll learn to hit Reply-to-All when I do this. :-)
-Original Message-
From: Hunter, Laura E.
Sent: Thursday, October 07, 2004 8:54 AM
To: 'Mulnick, Al'
Subject: RE: [ActiveDir] Windows Server 2003 Security Weirdness
but what's this? Why is the primary DNS server
saying
Can you give a little more information about what you're
seeing? I saw this part: The brute-forcing is taking place solely on
the
remaining 2000 DCs but I'm interested in why you say it's a DoS
attack. What
other information led to the conclusion? What's happening on the 2000
servers
Is it possible that the accounts are being denied when they
shouldn't be? Is it possible this is a symptom of your problem,
meaning
that if your 2000 machine cannot get a response from DNS (at least in
time), it
may be denying somebody legitimate access to something they should
have access
Well, I'm chalking this one up to not my DNS, since the issue seems to
have gone away on its own overnight last night. Maybe there were some
SRV records that didn't get created right away when I registered the
2003 DC or something, and replication was badly affected as a result.
Either way, it's
So I upgraded my production 2000 AD domain by promoting a 2003 member
server to DC status. (Running through all of the adprep prerequisites
beforehand, obviously.)
Domain & forest functionality level are Windows 2000 native.
2003 server holds the RID Master & PDC Emulator roles. A 2000 DC holds
Guess that would've helped, huh?
DCDIAG:
DC Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial non skippeable tests
Testing server: Default-First-Site-Name\SFS-FKBB05
Starting test: Connectivity
. SFS-FKBB05 passed
So I may be inheriting a new network that needs to do the 5.5 on NT4 to
2003 on 2003 shuffle. Your basic Google search returns any number of
resources, obviously; but what does my favourite group of smart people
have to say? Recommended Books/FAQs/Blogs/Sites that will make me not
want to kill
Forgive me, I was too quick on the [Del] key and don't remember the
exact subject header for this thread.
If I'm understanding you correctly, your connectivity is fine up until the
point where you install DNS on your domain controller, correct?
Is there a Root Hints zone configured on your DNS
Evening all,
Just looking for some recommendations from my favourite smart people:
what (if anything) do you all use for disk defragmenting in an
enterprise scenario? I'm trying to find something nicely schedule-able
and manage-able from a single console, and the built-in 200/3 jobbie
(while a
Wow. Go-go-gadget Google-search! Some nice person on OutlookExchange
seems to have written precisely the thing that I need.
http://www.outlookexchange.com/articles/glenscales/mtrackrs.asp
If the author of this article lurks on this list: BLESS YOU! :-)
- Laura
tracking enabled ;)
Al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Hunter, Laura E.
Sent: Wednesday, June 23, 2004 2:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange Accounting
Wow. Go-go-gadget Google-search! Some
I can appreciate the trade-off but if you have to have this
information for an application (such as yours)
it may not be the way to go. The only absolute way to know a message
is in an inbox is to read it
from that inbox. If your server never gets busy, kindly disregard :)
Thanks for the
Of Hunter, Laura
E.
Sent: Wednesday, June 23, 2004 7:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange Accounting
I can appreciate the trade-off but if you have to have this
information for an application (such as yours)
it may not be the way to go. The only absolute way to know
Morning all,
Okay, here's the situation (my parents went away on a... Stoppit,
Laura, you're having an '80s flashback):
I have an Exchange 2000 mailbox set up as a drop-box for general
customer service support inquiries for my office. The manager of the CS
area wants to keep track of how many
Title: [ActiveDir] OT: Sysprep and workstation images
Try setting a compliant password in the
image, and then putting Whatever has to go in the AdminPassword key to prompt
the user.
Yeah, that's the part the only -sorta- works. The password policy
in the image is only being enforced for
(Man, Tony's gonna get really mad at me for being so continuously
off-topic. :-) But this is my List full of really smart people, so I
keep coming to you guys for non-AD-specific stuff that I can't figure
out.)
Scenario:
I work for a major university, and each fall we offer Back-to-School
Let's reset: If I understand correctly, when you set the app
to send email, you get the following ONLY in the log:
2004-06-07 18:12:32 %IP-ADDRESS-OF-WEB-SERVER% localhost.localdomain
SMTPSVC1 HELO 250
2004-06-07 18:12:32 %IP-ADDRESS-OF-WEB-SERVER% localhost.localdomain
SMTPSVC1 QUIT 240
Afternoon, everyone.
I did an in-place upgrade of my Exchange 5.5 box this weekend and
brought it up to 2000. For the most part, everything is looking
hunky-dory, with one really heinous exception.
I have a web application written in PHP (don't ask, I had no say in the
matter), that uses the
Title: RE: [ActiveDir] Exchange 2003 Question
Not necessarily. You can configure your page file to live on the
same drive as the OS, on a separate drive, or to exist across multiple
drives. If you remove the pagefile from the "OS drive" (read: set the
maximum size to 0), you will lose
snip
First, do the NT4 clients have
the DSClient installed, and if so, does it make a difference?
I've tried installing the DSClient - doesn't seem to make a difference
whether the clients have it installed or not.
Second, are you still running WINS in the environment?
Oh yes, much
Okay, this is something that I've filed in the I'll live with it column
for awhile:
Windows 2000 Active Directory domain.
Still supporting NT4 clients.
Using BIND DNS that does -not- have dynamic updates enabled: whenever I
create a DC, I am required to manually upload the netlogon.dns into
And speaking of bars:
Roger or Tony - did you guys happen to scoop up my camera from our table
at the W on Wednesday night? It's a crummy throw-away $10 jobbie, but it
had some really cool pictures on it and I'm sad that I forgot it.
:-(
From: Roger Seielstad
[mailto:[EMAIL
79 matches